Help with aggregate filter


(Mazhar) #1

Hi,

I have the following event to which I need to apply aggregation on "Logon ID",

------- SAMPLE -----
message:An operation was performed on an object. Subject : Security ID: S-1-5-18 Account Name: JB5VN3$ Account Domain: DMN Logon ID: 0x3E7 Object: Object Server: WMI Object Type: WMI Namespace Object Name: root\cimv2\security\MicrosoftVolumeEncryption Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Unknown specific access (bit 0) Unknown specific access (bit 1) Access Mask: 0x3 Properties: - Additional Information: Parameter 1: Local Execute (ExecMethod) Parameter 2: root\cimv2\security\MicrosoftVolumeEncryption:\JB5VN3\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID="\\?\Volume{5db1b1c2-86a2-477c-a30a-0eef37ba7c31}\"::GetConversionStatus type:wineventlog

I have the following filter defined,
filter {
grok {
match => [ "message", "%{SECURITYID:security_id} %{ACCOUNTNAME:account_name} %{DOMAIN:domain}" %{LOGONID:logon_id}" ]
}
aggregate {
logon_id => "%{login_id}"
msg_txt => "%{security_id} + %{account_name} + %{domain}"
push_map_as_event_on_timeout => true
}

The aggregation is not working, can somebody guide me

//Mazhar


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.